The original design of the Domain Name System (DNS) protocol and its primary use of the User Datagram Protocol (UDP) for transport leave it vulnerable to use in Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The term DoS will be used herein to denote both types of attack. In such attacks, name servers may be the intended target, or may be used as a reflection point to harm a third party. In both cases, source IP addresses are often spoofed. DoS attacks are characterized by the attacker's intention to disrupt the operation of the victim, either by starving it of computing resources (such as bandwidth, CPU cycles, or memory) or by preventing legitimate users from reaching the victim's servers. DoS attacks have an enormous adverse impact on businesses in particular and are becoming even more prevalent than fast-spreading worms or DNS poisoning, primarily because they are easy to implement, the required resources are readily available, and the attacker is difficult to identify. The attacker's profile can range from a single individual seeking peer-group recognition or holding a grievance against an organization, to a group with commercial or cyber-terrorist aims.
Many DoS attack modes over the Internet and similar communications systems exploit characteristics and limitations of the transmission and routing rules and protocols which govern the delivery of packets over a network. As is well known, these transmission protocols in the network and transport layers include the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP is a connection-oriented protocol which enables two hosts to establish a connection to exchange in-sequence data in a reliable manner. This reliability stems in part from the receiver acknowledging the receipt of packets received in the correct sequence-number order, usually by way of an acknowledgment (ACK) packet or message. Furthermore, if an expected packet is not received at the receiver or far end within a reasonable round-trip time, a timer will cause a timeout wherein the expected packet is deemed to be missing. Whenever an expected packet is not received, it will be retransmitted by the sending end.
In contrast, UDP is a connectionless transport protocol which transmits traffic in an unreliable manner over the network. As is known, UDP transmits segments that include source and destination ports, which define end points within the source and destination machines and allow for the correct delivery of the segments. No connection setup is required for a UDP transmission, making this protocol a preferred choice for DoS attackers.
While TCP and UDP are transport layer protocols, ICMP functions at the network layer and serves to flag up unusual events and errors in the processing of datagrams within the Internet.
The typical DoS attack mode is to flood the receiver with so much traffic that the victim's resources are consumed in dealing with the maliciously sent traffic, and none are left for the receiver's own legitimate functions, causing the receiver's system to operate at a reduced speed or, worse, to hang or crash. Network equipment can be overwhelmed in an attack even before the traffic reaches its intended victim, as routers, servers, firewalls and so on have capacity, memory and other limits which may be stressed by the speed and/or volume of the attack transmission. The flooding traffic can take the form of a high packet rate, the sending of many small packets, and the like. Known variations of flooding attack techniques include SYN floods, ICMP floods, UDP floods and the like, each of which has its own characteristics, but in all cases they involve sending a large amount of data, typically at a high speed, to the victim.
Attacks can be performed either by a single malicious sender, or by the concerted action of a number of machines in what is known as a DDoS attack. In this case, the concerted action can be controlled by a single master machine which directs a network of “zombies” (computers hosting a daemon which the master machine uses to launch a flooding DoS attack) or “bots” (client programs running in the background which can be controlled by a remote master computer to automatically launch a flooding attack). These sending entities may be hosted on an infected or compromised machine whose user is innocent of the malicious flooding traffic emanating from his computer. In such cases, the identity of the sender, e.g., the attacker and/or master computer, is also concealed. In yet another variation, the attacker falsifies (or “spoofs”) the source address of the attack packets, such that the flood of response messages is delivered to a third-party victim.
In more recent attacks, attackers on two occasions spoofed DNS query packets from a wide range of IP addresses. Because the sources of these attacks were so widely distributed, the rate of packets from any particular source IP address or range of IP addresses remained below the threshold that triggers Response Rate Limiting (RRL).
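As an added example (not part of the original text), the following Python models the RRL limitation just described: a fixed-window counter keyed by source IP suppresses a concentrated flood but answers every query of a flood spread across many spoofed sources, whereas a window-wide aggregate count still flags it. The threshold values, the `constructed_traffic` helper and the query records are constructed assumptions, not captured traffic or any product's configuration.

```python
"""Per-source rate limiting (RRL-style) versus a widely spread spoofed flood.

Added illustration; not part of the original text. Both counters operate on
one fixed time window of query records.
"""
from collections import Counter
from typing import List, Tuple

PER_SOURCE_THRESHOLD = 5   # responses per source IP per window (assumed value)
AGGREGATE_BASELINE = 100   # expected legitimate queries per window (assumed value)


def constructed_traffic(sources: int, per_source: int, qname: str) -> List[Tuple[str, str]]:
    """Build a constructed query log: `sources` distinct source IPs drawn from the
    198.51.100.0/24 documentation range, each sending `per_source` queries."""
    return [(f"198.51.100.{i}", qname) for i in range(sources) for _ in range(per_source)]


def per_source_rrl(queries: List[Tuple[str, str]], threshold: int) -> Tuple[int, int]:
    """Fixed-window counter keyed on source IP, as RRL does.
    Returns (answered, limited): responses sent vs. responses suppressed."""
    seen: Counter = Counter()
    answered = limited = 0
    for src, _qname in queries:
        seen[src] += 1
        if seen[src] <= threshold:
            answered += 1
        else:
            limited += 1
    return answered, limited


def aggregate_alarm(queries: List[Tuple[str, str]], baseline: int) -> bool:
    """Window-wide check independent of any single source: total query volume
    against the expected legitimate baseline."""
    return len(queries) > baseline


# Constructed scenarios for one window: the same 200 queries, concentrated vs. spread.
CONCENTRATED = constructed_traffic(sources=1, per_source=200, qname="example.")
SPREAD = constructed_traffic(sources=200, per_source=1, qname="example.")
LEGITIMATE = constructed_traffic(sources=40, per_source=1, qname="example.")

if __name__ == "__main__":
    for name, window in (("concentrated", CONCENTRATED), ("spread", SPREAD), ("legitimate", LEGITIMATE)):
        answered, limited = per_source_rrl(window, PER_SOURCE_THRESHOLD)
        print(f"{name:12s} answered={answered:3d} limited={limited:3d} "
              f"aggregate_alarm={aggregate_alarm(window, AGGREGATE_BASELINE)}")
```

The spread flood passes the per-source counter untouched (200 answered, 0 limited) even though its total volume is identical to the concentrated flood that RRL cuts to 5 responses.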
Accordingly, improved DoS mitigation techniques that address the aforementioned issues are needed.